We do not mean to imply that the subject documents have suddenly taken on a new, higher level of importance to the CVE Editorial Board. To the contrary, we have
developed many unwritten rules over the years – some of which may be buried in pages of Board discussion threads from years ago, others of which were decided internally by MITRE or developed as “common practice” – and we are beginning to document these rules
and practices explicitly. In this case, we simply thought we’d start by picking off the processes and documents that would be most straightforward, and where we thought the Board would be most likely to quickly come to agreement. As always, we are actively
seeking Board member comments and suggestions on both documents, and we plan to discuss them during the Board meeting at RSA.

I’m not surprised the documents look like efforts for the OVAL Board – we spoke with the OVAL team quite a bit leading up to those efforts. Your comments based
on the efforts relating to the OVAL Board are well-founded, as are the cautions. CVE has traditionally been a “one member – one vote” model, regardless of whether the member was an independent or an organization, as we saw during the Syntax ID change voting.

We do not want nor expect the Board to ever be comprised solely of organizational representatives. By its nature and purpose, the CVE Editorial Board should,
and always continue to, be representative of the entire community. That alone requires that the Board include independent members. We mention that point (albeit not very explicitly) on the CVE Editorial Board web page, and leave it open in the draft documents.
I personally like the way you phrased the Board membership as “…based on the individuals who have contributed to this community and to CVE.”
I can see places in the document where we can make it more explicit that we seek independent members that can contribute and who view CVE Editorial Board membership to hold (again, as you said), “a personal responsibility to the community.”

With respect to the comment in the document encouraging organizations to have “an implementer and a liaison,” we put that in partly to try to encourage more engagement within organizations where the “implementer” (or, to Carsten’s point, technical) member can sometimes be invisible to those in an organization who might or should otherwise understand CVE within their own organizational context.

We agree that Board members should be active and engaged, and we are seeking comments on the drafts to help us formalize CVE’s and the community’s best interests.

Can I ask why this is important now? Not like it has been an issue since 2001… ;-) I am really just a bit curious. This looks like something we put together on the OVAL Board. There was a reason we did so there that may not be all that valuable here. The intent was to assure promotion of OVAL and at the same time we were seeing a growing number of companies asking to have more than one representative. We wanted to: (From the OVAL Board info)

In an effort to guard against organizational bias, a single organization may be represented by a maximum of two individuals
with the expectation that one individual would be focused on strategic direction and the other individual would be focused more on technical decisions.

We also only allowed one vote per organization because not all organizations had two members. In reality the process cost us a good participating individual. We had a situation where one organization ended up with three people and the organization decided who would be on the list. This meant we lost one of the more consistent contributors while keeping a less participating member.

I have always felt the CVE Editorial Board not to be organizationally-based but rather based on the individuals who have contributed to this community and to CVE. Yes, because we have more
than one person from specific companies, the voting process needs to use the organizational slant to reduce the possibility of organizational bias in the vote results but I have always viewed the Board not as an organizational responsibility but a personal
one because of my belief in the value of CVE.

Recommending two people from each company seems to bloat and dilute the Board. By injecting those who are not as passionate about CVE and its value, we end up with individuals who look at this more as a resume
item instead of a personal responsibility to the community.